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Abstract — Recently, a Quantum Key Exchange protocol that 
uses squeezed states was presented by Gottesman and Preskill. In 
this paper we give a generic security proof for this protocol. The 
method used for this generic security proof is based on recent 
work by Christiandl, Renner and Ekert. 

I. Introduction 

In a Quantum Key Exchange (QKE) protocol there are three 
parties; Alice and Bob who want to exchange a secret key 
and a malicious third party, Eve. Eve has access to unlimited 
quantum computational power and she can monitor but not 
alter all public communication between Alice and Bob. Alice 
and Bob can access a quantum communication channel (we 
assume that this channel is lossless) and an authenticated 
public channel. 

Following a certain QKE protocol, Alice and Bob transmit 
quantum states over their quantum communication channel 
and perform measurements on their respective quantum states. 
From the measurements they extract bit values. By communi- 
cation over the authenticated public channel, Alice and Bob 
agree which bits will be used for secret key generation. They 
estimate the bit error rate e of these key bits with another 
round of public communication. Alice and Bob then apply 
information reconciliation and privacy amplification to the key 
bits so that they end with a shared bit string K. 

In [1], a generic security proof is proposed by which the 
security of a wide class of QKE protocols is proved. It is based 
on the fact that privacy amplification is equally secure when 
an adversary's memory for data storage is quantum rather than 
classical ([2]). The generic security proof gives Alice and Bob 
a threshold d for the bit error rate e. This means that if e < d, 
then K is unconditionally secure. The generic security proof 
is applicable to QKE protocols that involve quantum systems 
with a finite number of degrees of freedom (in [1] and in [5] 
it was proved that BB84 is secure for e < 11%). It does not 
immediately apply however to QKE protocols using quantum 
systems with an infinite number of degrees of freedom. 

BB84 ([3]) is a QKE protocol that works with two- 
dimensional quantum bits (qubits) which are encoded by single 
photons polarized in one out of two non-orthogonal bases. The 
unconditional security of BB84 is based on Alice's ability 
to prepare single photons, something that is still extremely 
difficult. 



In [4], a QKE protocol, which we denote by GPOO, was pre- 
sented that resembles BB84 but solves the problem of prepar- 
ing single photons. GPOO works with infinite-dimensional 
squeezed states, which can be prepared by a laser. The 
squeezing parameter r determines the amount of squeezing 
of a squeezed state. The more squeezing, the more difficult 
a squeezed state is to prepare, therefore we need a lower 
bound for r. In [4] it was proved that the protocol is secure 
if e < 11% hence if r > 0.289. In this paper we apply the 
generic security proof to GPOO and find the same thresholds. 
A generic security proof is advantageous because it can give 
more insight in the security of similar protocols. Further, we 
will discuss some remaining security issues of GPOO. Finally, 
we pay some attention to transmitting more than one bit per 
squeezed state. 

II. Squeezed States 

Let a S C and £ = re 1 ^ with r G K and <f> G [0, it). To every 
C, a there corresponds a squeezed state denoted by \(,a). It 
satisfies with equality the Heisenberg uncertainty relation with 
respect to the position and momentum operators x and p if 
and only if <j> = so £ = r € R. That is, a x a p = \. 
In fact, if we measure the position or the momentum of 
the squeezed state | ( ~ r,a), then the measured value x 
or p is distributed according to a Gaussian distribution with 
variance equal to respectively c 2 , = |e 2r or a p — |e _2r . 
We say that r is the squeezing parameter and that \r, a) is a 
minimum uncertainty squeezed state. If r < 0, then er 2 < <r 2 




Fig. 1. Measurement probability distributions for measuring the position or 
the momentum of a squeezed state squeezed in a) x and b) p. 



and the squeezed state is "squeezed" in x. If r > 0, then 



the squeezed state is "squeezed" in p (see Fig. [Q. After a 
measurement of position value x or momentum value p, the 
squeezed state collapses to respectively a position eigenstate 
| a;) or a momentum eigenstate \p). 

III. Bit Encoding and Decoding Scheme for GPOO 

First we fix f > 0. All squeezed states are squeezed with 
squeezing parameter r = — f (for squeezing in x) or r = f 
(for squeezing in p). We divide the real numbers into two sets 
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Fig. 2. Bit encoding intervals Co and £i. 



of intervals Co and £i as in Fig. [2] Alice samples a £ K from 
the Gaussian Pa (a) with mean and variance \e 2r ~ 



Pa{o) = 



1 



: exp 



,2r 



(1) 
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If a £ £o> Alice extracts bit 0, otherwise she extracts bit 1. 
She prepares a squeezed state squeezed in x or p at random. 
If she squeezes in x, she sends to Bob 

(x) = a' = ay/1 - e" 4f 
(p) =0 



r, a 



with 



If she squeezes in p, she sends to Bob the squeezed state 



If, a) with 



(P) 
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= a! = ay/l — 
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For every squeezed state Alice computes and announces = 
a mod where < <fi < y/n. Note that there exists an 
n a E Z such that a = n a y/Tr + (f>. Every value for <fr should be 
equally likely because then P(a £ Co\(f>) = P(a € Co) = 0.5 
such that <j) leaks no information to Eve (we further discuss 
this in Section llXll . 

For every squeezed state Bob decides at random to measure 
the position or the momentum. Suppose that the outcome of 
his measurement is b and denote the difference of Alice's and 
Bob's value by S = b — a. Note that b — </> = n a y/ir + 5. 
Bob extracts bit value if b — <f> = n a yfir + 5 rounded to the 
nearest integer multiple of \pK is an even multiple of y/n and 
bit value 1 otherwise. 
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Fig. 3. Bit decoding interval C. 



If we define the decoding interval C as in Fig. [3] then Alice 
and Bob find the same bit if 6 = b — a € C. This is because if 
6 € C, then n a y / 7r+5 rounded to the nearest integer multiple of 
y/n is equal to n a \pK- They find different bits if <5 = i>— a ^ C. 



IV. Bit Extraction Probabilities for GPOO 

If Alice and Bob use different bases, then the value mea- 
sured by Bob has a Gaussian distribution centered at 0. This 
distribution is shown as the graph on the left in Fig. |4] for 
a = The marked area pictures the values of b for which 

b — a e C and represents the probability that Alice and Bob 
find the same bit. This probability equals 0.5 if a — \\pH- In 
fact, this probability is maximal if a — Iriyfii, is equal to 0.5 
if a = (2n + ^)y/n and is minimal if a = (2n + 1)\/tt- This 
means that if all values for <f> are equally likely, then the bit 
extracted by Bob is on average random. The corresponding 
cases in the protocol can therefore be discarded. If Alice and 
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Fig. 4. Bit correct probability if a) different basis are used and a = \\px 
and b) the same basis is used and a! — a = \\pK . 



Bob use the same basis, then the probability that they find 
the same bit is dependent on the distance between a, the 
value from which Alice extracts her bit, and a', the mean 
value of Bob's squeezed state. This is illustrated in the graph 
on the right in Fig. |4] for a' — a = \\pix. We denote the 
average probability that Alice and Bob find the same bit, given 
that they use the same basis, by 1 — e s . For illustration, this 
probability is 0.89 if f = 0.289 and if f — > oo it will approach 
1. Note that even if Alice and Bob use the same basis then, 
in contrast to BB84, they find the same bit with probability 
smaller than 1. This means that because of using squeezed 
states, additional quantum noise is introduced (e s ). 

V. The protocol GPOO 

We give the description of the protocol. At the end of the 
protocol, just before information reconciliation and privacy 
amplification, Alice and Bob each have an n-bit string respec- 
tively X and Y. After information reconciliation and privacy 
amplification they have a shared secure key K of length k < n. 

1) Alice prepares approximately An squeezed states. For 
every squeezed state she decides to squeeze it in x or in p 
at random. She prepares the squeezed states according to 
the encoding scheme described in the previous sections. 
For every squeezed state she extracts a bit value. She 
sends the squeezed states to Bob. 

2) For each squeezed state, Bob decides to measure the 
position or the momentum at random. 

3) Bob confirms having received the squeezed states. Alice 
and Bob announce which bases they used. 

4) Alice and Bob discard the cases where they did not 
use the same basis. From the remaining approximately 
4n/2 = 2n bits Alice chooses n to serve as check 



bits and n to serve as key bits. For the squeezed 
states corresponding to these check and key bits, Alice 
computes (j>. Alice sends all </>'s and the chosen positions 
of the check and key bits to Bob such that Bob can 
extract check and key bits from his measured values. 
Alice and Bob's resulting key bit strings are X and Y. 

5) Alice and Bob announce their check bits to estimate the 
bit error rate e. 

6) If e < 11%, then information reconciliation and privacy 
amplification follow such that Alice and Bob end with 
a shared secret key K. 

An important difference between GPOO and BB84 is that Bob 
needs additional information <j> about the squeezed states to 
extract bit values from his measured values. Noise (e) is not 
only caused by the channel or by Eve, but also by the natural 
noise of squeezed states (e s ). If f — * oo, then e s — * and 
GPOO approaches the continuous version of BB84. 

VI. The Generic Security Proof 

The generic security proof [1] can be applied to a generic 
QKE protocol equivalent to an entanglement based protocol. 
A dealer prepares entangled states and sends one part of the 
entangled state to Alice and the other part to Bob. Let the 
measurements that Alice and Bob randomly apply to their 
received quantum states be the POVM's T and Q and let the bit 
error rate of the bits extracted from the measurements be e. Let 
7Z be the set of all density operators p (describing the quantum 
state of two systems) for which it holds that if p is measured 
with respect to T % T or Q <g) Q, then the two bits extracted 
from the measurement have bit error probability e. Thus 1Z is 
the set of all possible density operators describing the mutual 
state of Alice and Bob, given that the bit error rate is equal to 
e. Let Z be a projective measurement on the density operator 
p € 1Z with outcome described by the random variable Z. Let 
X and Y be random variables such that Alice's and Bob's bit 
strings consist of n realizations of these variables. The secret 
key rate R is now given by ([1]) 



momentum eigenstates) are as follows ([4]) 



R 



H{X)-H{X\Y)-Bxg pe - R mBxH{Z). (2) 



The rate might be improved by conditioning on additional 
information W, known only by Alice and Bob and gained 
during privacy amplification. The rate then becomes 

R = H(X\W)- H(X\Y)-axg peR maxH(Z\W). (3) 

The generic security proof consists in finding the maximum 
error rate e such that R is still positive and hence the extracted 
secret key K is secure. 

VII. Entanglement Based version of GPOO 

To be able to apply the generic proof to GPOO, we regard 
it as an entanglement based protocol. The entangled states 
prepared by the dealer (given in both position eigenstates and 
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where < A 2 < 1. For A 2 < 1, \ip) is an entangled state. 

Alice and Bob both get a part of this entangled state. If 
Alice measures the position of her part, she measures position 
value x a with probability 

P x {x a ) = -= exp [-A 2 x 2 a ] . 



By this measurement, she prepares for Bob the state 



1 
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\x b )dx b , 



which is a squeezed state squeezed in x with mean position 
value \fl — A A x a and mean momentum value 0. If Alice 
measures the momentum of her part, she measures value p a 
with probability P p (p a ) = Px{pa)- By this measurement, she 
prepares for Bob a squeezed state squeezed in p with mean 
momentum value — vl — A A p a and mean position 0. 

If we choose A 2 = e~ 2r , then the entanglement based 
protocol is equivalent to GPOO; from Eq. [2 we see that 
Px( x a) — Pp( x a) — Pa{ x o) an d the squeezed states produced 
by Alice's measurements in the entanglement based version 
are equal to the squeezed states sent by Alice in GPOO. Note 
that in the entanglement based version, the mean momentum 
value is — yl — A^p a rather than VT — A^p a . This means 
that Alice extracts a bit value and calculates </> from —p a rather 
than from p a if she measured the momentum and from x a if 
she measured the position. Alice and Bob find the same bit if 
x b - x a e C or p b - (-p a ) =p b +Pa^C. 

VIII. Generic Security Proof of GPOO 
Let e be the bit error probability of the check bits. Let the 
density operator p G TZ; if of both parts of p the position 
is measured or the momentum, then the probability that the 
extracted bits differ is equal to e. This can be formulated by 
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where e.g. (x ai x a + x\p\x a ,x a + x) is the probability that 
Alice measures position value x a and Bob measures position 
value x a + x. 



As projective measurement Z we choose the continu- 
ous Bell measurement which is given by the projectors 

{\i/](x,p)){<tl>(x,p)\\x,p e K} with 



\ip(x,p)) = I e lpXa \x a ,x a +x)dx a 

) 

e MPa |p a , -Pa +p)dp a . 



If we define 



Xx P = (ip(x,p)\p\ip(x,p)}, 



then X xp is the probability that if Alice and Bob both measure 
the position, then the difference of their outcomes is x and 
if they both measure the momentum, then the sum of their 
outcomes equals p. If x = xj, — x a E C or p = pb + p a € C, 
then Alice and Bob extract the same bit and if x ^ C or p ^ C 
they extract different bits. 

We let Z, the random variable that describes the outcome of 
the projective measurement Z, describe whether or not Alice 
and Bob will find the same bit, given that they both use the 
same basis. This leads to four different values (situations) for 
Z; we obtain the four probabilities corresponding to the four 
different values of Z by grouping the probabilities \ xp in the 
following way 



Ai = / / X xp dxdp 
lp£C Jxec 



A, = 



A, 



\ xp dxdp 



pec Jx<£C 



X xp dxdp. 



A 2 = / / X xp dxdp 

Jp^cJxec Jp£CJx£c 

For illustration, A2 is the probability that if Alice and Bob both 
measure the position, they find the same bit and if they both 
measure the momentum, they find different bits. Eqs. J4I5I6I7> 
can be rewritten as 

Ai + A 2 = 1 — e A 3 + A4 = e 
Ai + A3 = 1 - e A 2 + A4 = e 

With these relations, Ai, A 2 and A3 can be expressed in terms 
of A4. The entropy of the random variable Z is given by 

4 

H(Z) = -J2^og 2 A,; 

i=l 

and is maximized for A4 = e 2 and then H(Z) — 2h(e). The 
secret key bit rate becomes (Eq. [5J 

R = 1 - h{e) - 2h(e) = 1 - 3h(e). 

This rate is positive for e < 6.1%. 

We improve the rate by using the additional information 
W — X + Y gained during privacy amplification. It holds that 

H(Z\W) = ^ mQtl} P(W = i)H(Z\W = i) 

= H(Z)-h(e). 

The entropy H(Z\W) is maximized for A4 = e 2 and then 
H{Z\W) = h(e). The rate R becomes (Eq.Q 

R = 1 - h{e) - h{e) = 1 - 2h(e) 



which is positive for e < 11%. This means that GPOO is secure 
if e < 11%. Because the noise generated by squeezed states 
(e s ) contributes to the total noise e, we have e s < e. With 
calculations we find that e s < 11% if f > 0.289. This means 
that GPOO can only be secure if squeezed states are squeezed 
with squeezing parameter f > 0.289. 

IX. Randomization issue of (f). 

In GPOO, Alice announces <f> = a mod y/w. For uncondi- 
tional security it has to hold that P(a £ iZol^) = P(a G £0) = 
0.5 because then Alice can safely announce <f> since it leaks no 
information to Eve. The probability P(a G £o\4>) is maximal 
at <f> = 0, equal to 0.5 if <p — \\px and minimal at <p = \pii- 
For f = 0.289 we find e.g. that P(a £ £ |</> = 0) = 0.745 
which is rather high; it means that <fi leaks a significant amount 
of information to Eve about the bit extracted by Alice. Study 
still has to be done in whether the generic security method 
allows <\> to be non perfectly random. We considered three 
possible, alternative, solutions. 

One way to solve the problem, is to enlarge the lower 
bound for f. For example, if f > 1.5, then P(a € Cq\4> = 
0) « 0.5 and no information leaks to Eve. Because f becomes 
considerably large, this solution is not favorable. 
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Fig. 5. Discrete approximation of Pa(cl). 

A different solution that we considered is to make a discrete 
approximation of Alice's sampling distribution Pa{o) as in 
Fig. 13 It then holds that every value for cf) is equally likely, 
the value </> does not leak information to Eve and if Bob or 
Eve measures the squeezed state in the incorrect basis, the 
extracted bit is on average random. If we use this discrete 
approximation to calculate the average error probability e s 
caused by squeezed states, then we find that for a given 
squeezing parameter f, the value of e s increases (e.g. if 
r = 0.289 then e s = 0.119). We found that e s < 11% if 
f > 0.308. Although this discrete approximation seems to 
work, it is the case that the protocol resulting from the discrete 
approximation has no obvious entanglement based equivalent 
anymore such that the generic security proof [1] might not be 
applicable. We are still investigating the possibilities for this 
situation. In the following section we describe how we can 
transmit more than one bit per squeezed state, by making use 
of a similar discrete approximation of Pa{o)- 

It seems that for unconditional security, the bit encoding 
and/or decoding strategy of GPOO should be changed such that 
every value of <fi becomes equally likely while the sampling 



distribution Pa (a) and the squeezed states sent to Bob remain 
the same (this is the third solution we considered). By keeping 
Pa (a) and the squeezed states sent to Bob the same, the 
resulting protocol has the entanglement based equivalent as 
described in Section IVHI An idea to do this is to choose 
4> = \a\ mod yjii instead of (j> = a mod 1/7?. 

X. Sending more bits per squeezed state 

We describe a method, based on a discrete approximation 
of Pa(o-), by which we can send m bits per squeezed state. 
We show in more detail how to do this for 2 bits, how the 
method works for more bits will follow easily from the 2-bits 
case. The main difference with GPOO is the bit encoding and 
decoding scheme. We emphasize that unconditional security is 
not proven yet (see the comment on the discrete approximation 
solution in the previous section). 

Alice and Bob can extract 4 different messages per squeezed 
state, which are given by mo = 00, mi = 01, rri2 = 10 and 
m 2 2_! = 11. Alice samples a from a discrete approximation 
of Pa (a) such that all messages mo,... ma are equally 
likely. If o e £ o then Alice extracts bits m = 00, if 
a e Cqx then Alice extracts bits mi = 01 etc. where the 
encoding intervals £ 00 , . . . , £ n are illustrated in the graph 
on the left in Fig. |6] The discrete approximation of Pa (a) 
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Fig. 6. Encoding and decoding intervals for sending two bits. 



that satisfies the constraint is illustrated in Fig. Q With this 



then Bob extracts bit pair rrij. This means that Bob extracts 
bit pair m^ + k) mod 4 if z — a e Cfc, for k S {0, 1, 2, 3}. The 
decoding intervals Cq , . . . , C3 are illustrated in the graph on 
the right in Fig. [6] 

If Bob or Eve measures in the incorrect basis, then the 
message he or she extracts is random because of the discrete 
approximation used for Pa (a)- Suppose Alice and Bob use 
the same basis. Then, the lower bound for f seems to be 
comparable to that in the one-bit case. Research still has to 
be done for the exact value of the lower bound for f. 

We can do similar reasoning for sending 3 bits per squeezed 
states. In this case however, it seems that the lower bound for 
the squeezing parameter f increases. This is probably because 
the discrete approximation of Pa (a) becomes too stretched. 
The lower bound seems to increase even more when we send 
more than 3 bits per squeezed state. 

XI. Concluding Remarks 

It has been shown how to use a generic security proof to 
prove the security of GPOO, a QKE protocol that works with 
squeezed states. We studied a remaining weak point of the 
protocol and discussed some possible solutions. Elaborating 
on one of these possible solutions, we suggested a method to 
transmit more than one bit per squeezed state. 
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Fig. 7. Discrete approximation of P a (a) if we send 2 bits per squeezed 
state. 



discrete approximation, the value <p = a mod s/tv does not 
leak information to Eve and all messages m^ are equally 
likely. Alice sends the same squeezed state to Bob, as she 
would send in GPOO. For every squeezed state Alice computes 
and announces <fi = a mod y/n where < < ^n. The 
procedure at Bob's side is also similar to that in GPOO. For 
every squeezed state Bob decides at random to measure the 
position or the momentum. Suppose that the outcome of his 
measurement is z € K and that Alice extracted the message rrii 
where i £ {0, 1, 2, 3}. Bob rounds z — <f> to the nearest integer 
multiple of ^/tt. If this integer multiple is equal to j mod 2 2 , 



